
16 Billion Passwords Exposed

My bank logon requires not just MFA, but a FIDO2 physical security key, ditto my main business and personal email accounts. I do no banking on a cell phone, only on my PC, where I have a better understanding of keeping my system safe. Passwords are all impossibly complex and require a dedicated password manager. Passkeys are, as I understand them, also a nice move, as you must be on an approved device for them to function.
 
I don't know how reliable that site is, but I've used it for years and it seems to check out and align with known hacks my email was a part of. Anecdotal, but do with it what you will.

I wasn't seriously disparaging the site in my previous post. I just thought it was amusing that an email address that didn't exist a decade ago was in a dump from 12 years ago.

In addition to the possible explanations others have posted, I suspect that hackers might have later augmented the collection of data from that hacked site by adding other data to it in an attempt to make the collection larger and appear more impressive.

That was one of only three sites listed for my address and the only one where the data supposedly had the password. The other two sites used MFA and passwords are encrypted.
 
My bank logon requires not just MFA, but a FIDO2 physical security key, ditto my main business and personal email accounts. I do no banking on a cell phone, only on my PC, where I have a better understanding of keeping my system safe. Passwords are all impossibly complex and require a dedicated password manager. Passkeys are, as I understand them, also a nice move, as you must be on an approved device for them to function.

You've definitely got a good system. Crazily enough, where I work we require 15-character passwords and MFA. Unfortunately it did absolutely no good when a bad actor was able to acquire their session token and used it to access their O365 account. I'd never seen something like that actually done in the wild, but sure enough. Just goes to show that nothing is truly secure.
 
Accessing my password manager also requires the FIDO2, forgot to say.

NB: Buy two devices and identify both with each system. Carry one on a keychain, keep the other securely stored. Lose a one-and-only FIDO2, and traveling up a certain creek with no paddle is guaranteed.
 